Basic implementation of TLS for memcached.1.5.13

Most of the work done by Tharanga. Some commits squashed in by dormando. Also reviewed by dormando. Tested, working, but experimental implementation of TLS for memcached. Enable with ./configure --enable-tls Requires OpenSSL 1.1.0 or better. See `memcached -h` output for usage.
author: Tharanga Gamaethige <tgamaethige@netflix.com> 2018-11-30 17:44:33 -0800
committer: dormando <dormando@rydia.net> 2019-04-15 21:36:18 -0700
commit: ee1cfe3bf9384d1a93545fc942e25bed6437d910 (patch)
tree: 2e880ddd3d263b85f2cf6de73b8eb15d14d02e37 /configure.ac
parent: d2dcfff7edd28baf3587ab103d6fbac322335a68 (diff)
download: memcached-ee1cfe3bf9384d1a93545fc942e25bed6437d910.tar.gz
1 files changed, 97 insertions, 0 deletions
diff --git a/configure.ac b/configure.ac
index abcb8ae..93046dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -100,6 +100,8 @@ AC_ARG_ENABLE(sasl_pwdb,
 AS_IF([test "x$enable_sasl_pwdb" = "xyes"],
       [enable_sasl=yes ])
 
+AC_ARG_ENABLE(tls,
+  [AS_HELP_STRING([--enable-tls], [Enable Transport Layer Security EXPERIMENTAL ])])
 
 
 dnl **********************************************************************
@@ -190,6 +192,10 @@ if test "x$enable_extstore" = "xyes"; then
     AC_DEFINE([EXTSTORE],1,[Set to nonzero if you want to enable extstore])
 fi
 
+if test "x$enable_tls" = "xyes"; then
+    AC_DEFINE([TLS],1,[Set to nonzero if you want to enable TLS])
+fi
+
 if test "x$enable_arm_crc32" = "xyes"; then
     AC_DEFINE([ARM_CRC32],1,[Set to nonzero if you want to enable ARMv8 crc32])
 fi
@@ -199,6 +205,8 @@ AM_CONDITIONAL([DTRACE_INSTRUMENT_OBJ],[test "$dtrace_instrument_obj" = "yes"])
 AM_CONDITIONAL([ENABLE_SASL],[test "$enable_sasl" = "yes"])
 AM_CONDITIONAL([ENABLE_EXTSTORE],[test "$enable_extstore" = "yes"])
 AM_CONDITIONAL([ENABLE_ARM_CRC32],[test "$enable_arm_crc32" = "yes"])
+AM_CONDITIONAL([ENABLE_TLS],[test "$enable_tls" = "yes"])
+
 
 AC_SUBST(DTRACE)
 AC_SUBST(DTRACEFLAGS)
@@ -354,6 +362,95 @@ if test $ac_cv_libevent_dir != "(system)"; then
   fi
 fi
 
+trylibssldir=""
+AC_ARG_WITH(libssl,
+       [  --with-libssl=PATH     Specify path to libssl installation ],
+       [
+                if test "x$withval" != "xno" ; then
+                        trylibssldir=$withval
+                fi
+       ]
+)
+
+dnl ----------------------------------------------------------------------------
+dnl libssl detection.  swiped from libevent.  modified for openssl detection.
+
+OPENSSL_URL=https://www.openssl.org/
+if test "x$enable_tls" = "xyes"; then
+  AC_CACHE_CHECK([for libssl directory], ac_cv_libssl_dir, [
+    saved_LIBS="$LIBS"
+    saved_LDFLAGS="$LDFLAGS"
+    saved_CPPFLAGS="$CPPFLAGS"
+    le_found=no
+    for ledir in $trylibssldir "" $prefix /usr/local ; do
+      LDFLAGS="$saved_LDFLAGS"
+      LIBS="-lssl -lcrypto $saved_LIBS"
+
+      # Skip the directory if it isn't there.
+      if test ! -z "$ledir" -a ! -d "$ledir" ; then
+         continue;
+      fi
+      if test ! -z "$ledir" ; then
+        if test -d "$ledir/lib" ; then
+          LDFLAGS="-L$ledir/lib $LDFLAGS"
+        else
+          LDFLAGS="-L$ledir $LDFLAGS"
+        fi
+        if test -d "$ledir/include" ; then
+          CPPFLAGS="-I$ledir/include $CPPFLAGS"
+        else
+          CPPFLAGS="-I$ledir $CPPFLAGS"
+        fi
+      fi
+      # Can I compile and link it?
+      AC_TRY_LINK([#include <sys/time.h>
+  #include <sys/types.h>
+  #include <assert.h>
+  #include <openssl/ssl.h>], [ SSL_CTX* ssl_ctx = SSL_CTX_new(TLS_server_method());
+                              assert(OPENSSL_VERSION_NUMBER >= 0x10100000L);],
+         [ libssl_linked=yes ], [ libssl_linked=no ])
+      if test $libssl_linked = yes; then
+         if test ! -z "$ledir" ; then
+           ac_cv_libssl_dir=$ledir
+           _myos=`echo $target_os | cut -f 1 -d .`
+           AS_IF(test "$SUNCC" = "yes" -o "x$_myos" = "xsolaris2",
+                 [saved_LDFLAGS="$saved_LDFLAGS -Wl,-R$ledir/lib"],
+                 [AS_IF(test "$GCC" = "yes",
+                       [saved_LDFLAGS="$saved_LDFLAGS -Wl,-rpath,$ledir/lib"])])
+         else
+           ac_cv_libssl_dir="(system)"
+         fi
+         le_found=yes
+         break
+      fi
+    done
+    LIBS="$saved_LIBS"
+    LDFLAGS="$saved_LDFLAGS"
+    CPPFLAGS="$saved_CPPFLAGS"
+    if test $le_found = no ; then
+      AC_MSG_ERROR([libssl (at least version 1.1.0) is required.  You can get it from $OPENSSL_URL
+
+        If it's already installed, specify its path using --with-libssl=/dir/
+  ])
+    fi
+  ])
+  LIBS="-lssl -lcrypto $LIBS"
+  if test $ac_cv_libssl_dir != "(system)"; then
+    if test -d "$ac_cv_libssl_dir/lib" ; then
+      LDFLAGS="-L$ac_cv_libssl_dir/lib $LDFLAGS"
+      le_libdir="$ac_cv_libssl_dir/lib"
+    else
+      LDFLAGS="-L$ac_cv_libssl_dir $LDFLAGS"
+      le_libdir="$ac_cv_libssl_dir"
+    fi
+    if test -d "$ac_cv_libssl_dir/include" ; then
+      CPPFLAGS="-I$ac_cv_libssl_dir/include $CPPFLAGS"
+    else
+      CPPFLAGS="-I$ac_cv_libssl_dir $CPPFLAGS"
+    fi
+  fi
+fi
+
 dnl ----------------------------------------------------------------------------
 
 AC_SEARCH_LIBS(umem_cache_create, umem)
author	Tharanga Gamaethige <tgamaethige@netflix.com>	2018-11-30 17:44:33 -0800
committer	dormando <dormando@rydia.net>	2019-04-15 21:36:18 -0700
commit	ee1cfe3bf9384d1a93545fc942e25bed6437d910 (patch)
tree	2e880ddd3d263b85f2cf6de73b8eb15d14d02e37 /configure.ac
parent	d2dcfff7edd28baf3587ab103d6fbac322335a68 (diff)
download	memcached-ee1cfe3bf9384d1a93545fc942e25bed6437d910.tar.gz